Passport scans are routinely collected to verify identities during the course of the hiring process, which suggests Akira's affiliate likely had access to a system containing staff-related data.
Company documents relating to accounting, finances, tax, projects, and clients are also said to be included in the archives grabbed by the cybercriminals, who are threatening to make the data public soon.
There is still no evidence to suggest customer data was exposed.
Akira's retro-vibe website separates victims into different sections: One for companies who didn't pay the ransom and thus had their data published, and another for those whose data is to be published on an undisclosed date.
A likely conclusion to draw, if the incident does indeed involve ransomware as the criminals claim, is that there may have been negotiations which have stalled, with Akira using the threat of data publication as a means to hurry along the talks.
Its representatives acknowledged the request but did not provide a statement in time for publication.
The statement came a day after a post was made to the unofficial Lush Reddit community.
Akira is better known for its extortion-only MO, which it adopted more recently in October 2023.
A recent report from researchers at Sophos revealed that they only responded to a single case that actually led to the deployment of a ransomware payload, and that was back in August 2023.
That said, this intel is limited only to Sophos's engagements - other incident response companies may have a different story to tell.
The group is primarily known for targeting organizations in the UK, Australia, and North America, and also its indiscriminate targeting of industries - anyone is fair game for them.
Blockchain data and the source code of Akira's ransomware payload both pointed to a relationship with Conti, itself a descendant of Ryuk, both of which were considered the most menacing ransomware operations of their times.
Akira is also believed to be behind the recent attack on Finnish IT service provider Tietoevry, which has affected a number of online services at Swedish government departments and some of the country's universities.
According to a press release, the attack was limited to one of Tietoevry's Swedish datacenters, and the incident is contained, but the company isn't sure how long it will take to fully recover.
This Cyber News was published on go.theregister.com. Publication date: Fri, 26 Jan 2024 12:43:05 +0000